From: James Smart <jsmart2021@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>, Justin Tee <justin.tee@broadcom.com>
Subject: [PATCH 4/8] lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
Date: Wed, 20 Oct 2021 14:14:13 -0700
Message-ID: <20211020211417.88754-5-jsmart2021@gmail.com>
In-Reply-To: <20211020211417.88754-1-jsmart2021@gmail.com>

An error is detected with the following report when unloading the driver:
  "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"

The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but
the flag is not cleared upon completion of the login.

This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi
set to LPFC_RPI_ALLOW_ERROR.  This results in a use-after-free access
when used as an rpi_ids array index.

Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
lpfc_mbx_cmpl_fc_reg_login().

Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
---
 drivers/scsi/lpfc/lpfc_hbadisc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 0b1e1cc00e01..4c068fbb550a 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -4372,6 +4372,7 @@ lpfc_mbx_cmpl_fc_reg_login(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
 			 ndlp->nlp_state);
 
 	ndlp->nlp_flag |= NLP_RPI_REGISTERED;
+	ndlp->nlp_flag &= ~NLP_REG_LOGIN_SEND;
 	ndlp->nlp_type |= NLP_FABRIC;
 	lpfc_nlp_set_state(vport, ndlp, NLP_STE_UNMAPPED_NODE);
 
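Review bot: the clear of NLP_REG_LOGIN_SEND is placed only on the success path of lpfc_mbx_cmpl_fc_reg_login(), right after NLP_RPI_REGISTERED is set; if the handler returns earlier on a mailbox status error, the flag stays set and the stale-flag condition the commit message describes would persist for that path. Please confirm the failure exits of this completion handler also clear the flag, or move `ndlp->nlp_flag &= ~NLP_REG_LOGIN_SEND;` ahead of the status check so both outcomes clear it.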
-- 
2.26.2
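A constructed C model of the sequence the commit message describes (login sent, completion, then two unreg calls on unload), added here as an example and not lpfc code: the node struct, flag bits, rpi_ids table size and the sentinel's numeric value are all assumed; only the names and the ordering follow the patch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed values: the real driver's flag bits, table size and sentinel differ. */
#define NLP_RPI_REGISTERED   0x1u
#define NLP_REG_LOGIN_SEND   0x2u
#define RPI_COUNT            8u
#define LPFC_RPI_ALLOW_ERROR 0xFFFFu   /* "no valid RPI" sentinel, assumed value */

struct node { unsigned flag; unsigned rpi; };   /* stand-in for the ndlp fields */
static uint16_t rpi_ids[RPI_COUNT];             /* stand-in for the rpi_ids table */

/* REG_LOGIN mailbox completion. 'fixed' selects whether the completion also
 * clears NLP_REG_LOGIN_SEND, which is what the patch adds. */
static void reg_login_cmpl(struct node *n, unsigned rpi, bool fixed)
{
    n->rpi = rpi;
    n->flag |= NLP_RPI_REGISTERED;
    if (fixed)
        n->flag &= ~NLP_REG_LOGIN_SEND;
}

/* Model of lpfc_unreg_rpi(): proceeds when either flag is set, indexes rpi_ids
 * with nlp_rpi, releases the RPI and leaves the sentinel behind in nlp_rpi.
 * Returns false instead of performing the out-of-range index the KASAN
 * report corresponds to. */
static bool unreg_rpi(struct node *n)
{
    if (!(n->flag & (NLP_RPI_REGISTERED | NLP_REG_LOGIN_SEND)))
        return true;                       /* nothing registered: no-op */
    if (n->rpi >= RPI_COUNT)
        return false;                      /* sentinel used as an index: the bug */
    rpi_ids[n->rpi] = 0;
    n->flag &= ~NLP_RPI_REGISTERED;
    n->rpi = LPFC_RPI_ALLOW_ERROR;
    return true;
}

/* Login sent, completion, then the two unreg calls seen on driver unload.
 * Reports whether the second unreg stays within the table. */
bool second_unreg_is_safe(bool fixed)
{
    struct node n = { .flag = NLP_REG_LOGIN_SEND, .rpi = LPFC_RPI_ALLOW_ERROR };
    reg_login_cmpl(&n, 3, fixed);
    (void)unreg_rpi(&n);                   /* first call: valid RPI, releases it */
    return unreg_rpi(&n);                  /* second call: gated only by the stale flag */
}
```

Without the fix the second call is let through by the stale NLP_REG_LOGIN_SEND bit and reaches the table with the sentinel; with the fix both flags are clear and the call is a no-op.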

